Re: UMP / CORS: Implementor Interest

On Wed, May 12, 2010 at 4:06 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, May 12, 2010 at 3:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>>>>>> While most of the discussion in this thread is just repeats of
>>>>>> previous discussions, I think Tyler makes a good (and new) point in
>>>>>> that the current CORS draft still has no mention of the possible
>>>>>> security problems that Tyler talks about. The current draft's security
>>>>>> section
>>>>>>
>>>>>> http://dev.w3.org/2006/waf/access-control/#security
>>>>>>
>>>>>> is ridiculous considering the amount of discussion that has taken
>>>>>> place on this issue on this mailing list.
>>>>>>
>>>>>> Before going to rec, I believe Anne needs to substantially improve
>>>>>> this section - based on stuff from maybe Maciej's presentation - which
>>>>>> I found really informative. He could also cite UMP as a possible
>>>>>> option for those worried about security.
>>>>>
>>>>> I agree that the security section in CORS needs to be improved.
>>>>>
>>>>> As for the "should CORS exist" discussion, I'll bow out of those until
>>>>> we're starting to move towards officially adopting a WG decision one
>>>>> way or another, or genuinely new information is provided which would
>>>>> affect such a decision (for the record, I don't think I've seen any
>>>>> new information provided since last fall's TPAC).
>>>>
>>>> A smart guy once told me that "You can't tell people anything",
>>>> meaning they have to experience it for themselves before they really
>>>> get it. Has Mozilla tried to build anything non-trivial using CORS
>>>> where cookies + Origin are the access control mechanism? If so, I'll
>>>> do a security review of it and we'll see what we learn.
>>>
>>> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog
>>> [1], however since that is only dealing with public data I don't
>>> believe it uses cookies or Origin headers.
>>
>> Does anyone have something?
>
> At the risk of getting myself involved in this discussion again, you
> might consider doing a security analysis of Facebook Chat.  Although
> Facebook Chat uses postMessage, it uses both cookies and postMessage's
> origin property for authentication, so it might be a system of the
> kind you're interested in analyzing.
>

I think (although I'm not certain) that Tyler is asking partially to
figure out where a non-anonymous CORS request is used in the real
world. If he isn't, then I am :)

Given that a major (but not the only) claim of the need to adopt CORS
with support for cookies and the Origin header is that it is in fact
already implemented and shipping, it would be good to see how it's
being used. If we can't find any examples of it being used (in the
non-anonymous case, at least), then the argument against us having to
keep it would hold less water. If we can find it being used, then we
can see both how we would handle the case with UMP, and whether or not
the CORS usage is in fact secure.

-- Dirk

Received on Wednesday, 12 May 2010 23:38:55 UTC